Awesome find. Adding this to the documentation now...

On Wed, Jul 20, 2011 at 7:40 PM, jplee3 <[email protected]> wrote:
> Actually, I found my answer (go figure) right after posting...doh
>
> http://groups.google.com/group/ossec-list/browse_thread/thread/86d708ca7f28b185/b63dfd63389f1824?lnk=gst&q=ignore+by+log#b63dfd63389f1824
>
>
> Looks like <hostname> does the trick.
>
> On Jul 20, 4:37 pm, "dan (ddp)" <[email protected]> wrote:
>> Have you tried <location>?
>>
>> On Wed, Jul 20, 2011 at 6:57 PM, jplee3 <[email protected]> wrote:
>> > Hey all,
>>
>> > Sorry if this was covered elsewhere, but I was wondering if it's
>> > possible to set up chained rules (in this case, a rule to ignore) based
>> > on log names.
>>
>> > Essentially, I would want to ignore a Rule 1002 (level="0") *IF* the
>> > log source is /var/log/apache.log:
>>
>> > 2011 Jul 20 15:54:45 (server1) 10.1.4.125->/var/log/apache.log
>> > Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>> > Src IP: (none)
>> > User: (none)
>> > Error
>>
>> > Is this possible?
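
A sketch of the rule this thread arrives at, added here as an example and not taken from any of the posts: a level 0 child of rule 1002 that matches on `<hostname>`, which OSSEC documents as the syslog hostname or the log file. The rule id 100100 and the description text are constructed placeholders.

```xml
<!-- local_rules.xml: constructed example. Rule id 100100 is a placeholder
     taken from the user-defined range (100000 and above). -->
<group name="local,">
  <rule id="100100" level="0">
    <!-- Child rule: evaluated only for events that already matched 1002. -->
    <if_sid>1002</if_sid>
    <!-- Matched against the event's hostname field. The alert quoted in the
         thread shows it as "(server1) 10.1.4.125->/var/log/apache.log",
         so the file path is enough to select that source. -->
    <hostname>/var/log/apache.log</hostname>
    <description>Ignore rule 1002 for events read from /var/log/apache.log</description>
  </rule>
</group>
```

Level 0 means no alert is generated, so every 1002 match from that file is silenced on every agent reporting that path; include the agent name in the `<hostname>` pattern if only one server should be exempt.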
